[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)

Tobias Markmann tmarkmann at googlemail.com
Tue Aug 25 10:40:39 UTC 2009


On Tue, Aug 25, 2009 at 8:18 AM, Kevin Smith <kevin at kismith.co.uk> wrote:

> > 4. Do you have any security concerns related to this specification?
>
> Only in as much as it's a great big file with everyone's passwords in.


Sure, there are few servers supporting it and there doesn't seem to be
huge demand for it, but maybe one should add support for other encodings for
the password. Currently it seems you have to use plaintext there.
For example, one could also allow storage of the password via two values (one
for UTF-8 and one for ISO 8859-1) of
H( { username-value, ":", realm-value, ":", passwd } ) as it is used in
the Digest-MD5 mechanism.

A similar method should be possible for the future SCRAM mechanism.

Tobias
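
The two stored values suggested above, as an added example that is not part of the original message or of XEP-0227: it derives H(username:realm:passwd) in both charsets and computes an RFC 2831 qop=auth response from the stored hash alone. The function names, the sample account and the nonce values are assumptions made for illustration.

```python
import hashlib

CHARSETS = ("utf-8", "iso-8859-1")


def stored_secrets(username, realm, password):
    """Return {charset: H(username ":" realm ":" passwd)} as raw 16-byte digests.

    A charset maps to None when the credentials cannot be encoded in it,
    so an exporter would simply omit that value.
    """
    secrets = {}
    for charset in CHARSETS:
        try:
            data = ":".join((username, realm, password)).encode(charset)
        except UnicodeEncodeError:
            secrets[charset] = None
            continue
        secrets[charset] = hashlib.md5(data).digest()
    return secrets


def digest_response(secret, nonce, cnonce, nc, digest_uri, qop="auth"):
    """Compute the DIGEST-MD5 response (RFC 2831, no authzid) from the
    stored hash only; the plaintext password is never needed here."""
    a1 = secret + b":" + nonce.encode() + b":" + cnonce.encode()
    a2 = b"AUTHENTICATE:" + digest_uri.encode()
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd_input = ":".join((ha1, nonce, nc, cnonce, qop, ha2))
    return hashlib.md5(kd_input.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample account and nonces, not taken from any real server.
    secrets = stored_secrets("juliet", "example.com", "p\u00e4ssword")
    for charset, digest in secrets.items():
        print(charset, digest.hex() if digest else None)
    print(digest_response(secrets["utf-8"], "n0nce", "cn0nce",
                          "00000001", "xmpp/example.com"))
```

The stored hash is sufficient on its own to produce a valid DIGEST-MD5 response for that username and realm, so an export file holding it still needs the same protection as one holding plaintext; what it avoids is disclosing the password itself.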